Posted by David Harley on November 12, 2015.
Facebook has been telling us a lot recently that it cares deeply about our security. And by us, it apparently doesn’t mean just Facebook users. To be fair, it does go to some lengths to help its customers to be more secure. But let’s not confuse security and privacy.
Jane Wakefield reports for the BBC on the Belgian Privacy Commission’s assertions regarding Facebook’s tracking of non-users of its services – which I assume to refer in this context to people who don’t have a Facebook account but access sites within the Facebook domain, for instance to groups and pages to which they’re directed by search engines – by installing a ‘datr’ [sic] cookie. They believe this to be in breach of EU legislation. A court agreed that
…the information collected by the social network was personal data “which Facebook can only use if the internet user expressly gives their consent”.
Facebook claims that the cookie is “one of our best signals to demonstrate that someone is coming to our site legitimately”, and that if it isn’t allowed to use it, it will have to regard any access to its services from Belgium as ‘an untrusted login’. Nothing to do with generating web-browsing tracking data for advertising purposes, then.
Not a Facebook user? That’s what you think… The language of that response is actually pretty significant. Disregarding the threat that the company might make life more difficult for Belgian users by enforcing a complicated login process – surely Belgian Facebook users already have to authenticate to access their accounts??? – it seems that Facebook want us to think that there are two tiers of login, trusted and untrusted, rather than logged-in users as opposed to casual visitors.
The EU cookie directive does suggest that the user’s consent isn’t necessary if cookies are ‘strictly necessary for the delivery of a service requested by the user’: however, the points made by Facebook about user security don’t convince me that cookies are ‘strictly necessary’ to bolster that security, or that it’s so difficult to meet the minimal requirements for establishing consent.